A researcher reverse-engineered the Honeywell X2S Smart Thermostat, which uses a Renesas Cortex-M33 MCU with TrustZone and a Realtek Wi-Fi/BLE SoC, both with encrypted flash storage. By building a custom pogo-pin breakout board and exploiting the Realtek chip's RSIP decrypt-on-the-fly feature, the researcher accessed the firmware and discovered a TLS certificate issue enabling man-in-the-middle attacks and a PRNG seeding bug that allows session key recovery. The Renesas MCU firmware remains to be fully decrypted, but the findings highlight serious IoT security weaknesses.
Sort: